1

Before I ask my question I would like to point out that I am a web developer who normally uses Stack Overflow and am new to Server Fault; I think this is the best place for this question.

I have recently started a new job, and among other things my IT department are reluctant to allow PuTTY access to the internet.

I am confident that there is a genuine reason for this and am just interested to know their reasons. I can imagine allowing any program access to the internet on any port could be a security threat, but is there any particular reason PuTTY could be dangerous?

Thanks in advance.

3 Answers

2

I don't suspect it's PuTTY itself they are against, but the necessity to open a port on the firewall. Personally, we have a handful of users who need to use PuTTY to manage internal machines, and they are free to do that. If however they asked me to open the SSH port on the firewall, like your IT department I would be much more wary.

Have you actually asked them why? There's no need to be aggressive or confrontational, but a sensible "I appreciate your reluctance - could you please elaborate on your concerns, and can we chat about potential ways to mitigate the potential threat" (or words to that effect). You may be able to come to a compromise such that SSH is opened on the firewall, but only to certain explicitly defined external hosts.

Ben Pilbrow
  • 12,031
1

Reasons are probably as simple as this: is there any business justification for your SSH access to external servers? You can use it [via SSH tunneling] to circumvent whatever corporate internet access policies / screening they have in place [and might be obliged to have in place by some specific regulations].

Side note: I'm quite glad that I don't have to work in such an environment and do not have to apply such policies on our users.

pQd
  • 30,537
0

Well, using PuTTY you are able to set up an encrypted tunnel to an outside host. This makes you immune to any kind of traffic inspection tools since you can set up an HTTP/HTTPS or SOCKS proxy on this outside host and break every corporate restriction using this proxy. But disabling PuTTY (actually 22/tcp traffic) seems to be a kind of security by obscurity. You can always set up an outside SSH server using a legitimate port, say 80/tcp or 443/tcp or even 53/udp.

Alex
  • 8,089